Microsoft AzureMS Office 365VEEAM

Modern Authentication with Veeam Backup for Office 365

Modern Authentication with Veeam, In this article I will explain how to configure the modern authentication with Veeam Backup for Office 365.

What is Modern Authentication visit Microsoft

Veeam Office 365 Modern Authentication

The release of version 4 of Veeam Backup for Office 365, now we are able to use the so-called modern authentication. This means using service accounts enabled for MFA (multi-factor authentication).

We need an Azure Active Directory custom application and a service account that has MFA (Multi-Facture Authentication) enabled. The custom application (App application) registered in Azure Active Directory will allow Veeam Backup for Office 365 to access the Microsoft Graph API. With this access, we can pick up the data from the “Microsoft Office 365 organization tenant”.

In this strategy, the service account will be used to connect to the EWS and PowerShell services.

Preparation

In instance, we want to use modern authentication with Veeam Backup for Office 365.

The below steps should be done for using the modern authentication.

Register a custom application in Azure Active Directory
Collect your Application ID and Secret
Create a new client secret
Create a new service account in Azure Active Directory
Enable Multi-Factor Authentication (MFA) on this service account
Assign roles to the service account
Grant a service account required roles and permissions
Get App password for an MFA-enabled service account
Add tenant to Veeam with the service account

Create Storage account in Azure

Add Object Storage Repository

Add Azure Blob Storage Repository

Create backup job

Register a custom application in Azure Active Directory

1- Open your Azure Active Directory admin center under the Manage tab and then select App registration.

azure active directory admin center

2- Click on + new registration Under App registrations tab.

azure active directory app registration

3- Enter new custom application a name; select the supported account type and then click on the register button.

azure active directory register an app

4- After creating a new custom application, we need to provide it with some permission. For that go to your newly created app application and then select the + API Permissions button.

azure active directory app permissions

5- Now we need to add Microsoft Graph permissions to our custom app application.
In the request API permissions wizard and then select Microsoft Graph.

azure active directory request api permissions

6- Select Application permissions.

azure active directory application permissions

7- Expand Director Option and select Directory.Read.All. Expand Group option and select Group.Read.All from the list of available permissions, and then click Add permissions
1- Directory.Read.All
2- Group.Read.All

These two permissions are needed to access the organization tenant.

azure application permissions directory
azure request api permissions group

8- This type of permission requires administrator consent. To grant administrator consent, click on Grant admin consent for (tenant name).

azure api permissions

9- Click Yes to confirm granting permissions

azure api permissions grant

10- Successfully granted admin consent for the request permission, Click + Add a permission button.

azure api permissions granted

11- Scroll down and then select SharePoint.

azure request api permissions

12- Select Application permission and expand sites, select Sites.FullControll.all and then click on add permission.

azure request api permissions sites

13- Click on Grant admin consent for (tenant name)

azure api permissions grant

14- Click Yes to confirm granting permissions

azure api permissions grant yes

15- Successfully configured permissions click on + Add a Permission button.

azure api permissions granted

16- Scroll down and then select exchange options

azure request api permissions

17- Choose Application permissions.

azure request api permissions access

18- Click on Grant admin consent for (tenant name)

azure api permissions grant

19- Click Yes to confirm granting permissions

azure api permissions yes

20- We have successfully registered a custom application in your Azure Active Directory and you have successfully set the required permissions.

azure api permissions granted

How to get your Application secret

Create a new client secret

1- To create a new client secret for our newly created custom application. Under Manage select Certificates & secrets and then click on + New client secret button under client secrets.

azure active directory client secret

2- Add a New client secret wizard, specify a description, an expiration date, and then click Add button.

azure active directory certificates & secrets

We have successfully created your application secret. The secret can be reviewed in the main settings area of your custom application under the Certificates & secrets options.

Collect Application Secret

3- To collect application secrets, go to the Certificates & secrets settings within your custom application and copy and then save it in note pad the value of it.

azure active directory certificates & secrets

Collect Application ID

4- The first thing you need to collect the application ID. If you go back to the main site of the app registrations, copy application (client) ID and then save it in a note pad.

azure active directory app registration overview

How to create a new service account in Azure Active Directory

1- Now we need to create the service user, which will connect from Veeam Backup for Office 365 to your tenant. In the Office 365 admin center, click on + new user to create a user without a product license.

azure active directory all users

2- The user which we are going to create will be our service user for MFA (Multi-Factor Authentication). Type a name, initial password and then click on create

azure active directory create new user

How to configure an MFA-enabled service account

After successfully created a service user, now we can proceed with activating MFA for it. Go back to the all users overview within your azure active directory admin center.

3- Select your newly created service user. Select On the top right of the ribbon, and then select Multi-Factor Authentication.

azure user multi-factor authentication

4- Select your service user on the left side and then click enable (MFA) on the right side under quick steps.

multi-factor authentication users

5- Click on enable multi-factor auth button.

about enabling multi-factor auth

6- The account is successfully enabled for MFA. Click close.

multi-factor auth in enabled

7- Now you can review your user which is now enabled for MFA.

multi-factor authentication users

Assign roles to the service account

The user needs the correct permissions and roles to backup Exchange Online and SharePoint Online. We have the choice to do this via the Exchange Admin Center.

For Exchange Online (Global Administrator or Exchange Administrator) role. Additionally, you need the ApplicationImpersonation role.

For SharePoint Online (Global Administrator or SharePoint Administrator) role.

I have this as testing purposes and for this blog post. I would not recommend assigning the Global Administrator in a production environment. Either uses the Exchange Administrator and the SharePoint Administrator role.

1- Select user account (veeam_vbo).

azure active directory domain center

2- Click on Assigned roles under manage and then click on + Add assignments.

azure active directory assigned roles

3- Select the role in the Directory role wizard on the left hand side and then click add.

azure active directory directory roles

4- Successfully assigned the roles.

azure active directory assigned roles

SharePoint Admin Center

1- Login with SharePoint Admin Center, select access control, and then Apps that don’t use modern authentication.

sharepoint admin center access control

2- Verify allow access is selected.

apps that don't use modern authentication

How to grant a service account required roles and permissions

1- Add ApplicationImpersonation role via the Exchange Admin Center. Select the permission tab on the left-hand side. Under admin, roles click the + button to add a new role.

exchange admin center permissions

2- Type a role group name and description. Select the Write Scope to default and then click the + button.

exchange admin center add permissions

3- Under Roles to add the ApplicationImpersonation, Mail Recipient, Mail Search, View only configuration, View only recipient role from the list, and then click ok.

office 365 add permissions roles

5- Add a member, it means our service account for this new role group. For that click on the + button under Members.

exchange admin center add permissions

6- Select your newly created service user, click on add button and then click OK.

office 365 add permissions roles

7- Click on save button.

exchange admin center add permissions

8- The user has been granted the ApplicationImpersonation role.

exchange admin center permissions

To get an app password for an MFA-enabled service account

1- The last thing we need to do before adding our tenant to Veeam Backup for Microsoft Office 365 is to collect your app password. Login with new user account & go through the additional security verification methods for this new account.

microsoft login

2- Now we need to select if we would like to receive text messages or if Microsoft calls you within the configuration of the phone verification. I am going to select an Authentication phone option (country code phone number) and select send me a code by text message and then click Next.

microsoft additional security verification

3- Type the verification code and then click on verify button.

microsoft additional security verification

4- This app password is wanted within the Tenant configuration in Veeam Backup for Office 365. Copy it in notepad or save it for our later use. Click on the done button.

microsoft additional security verification

5- After login to user office 365 account, click on my account icon and then click my account

office 365 login account

6- You will be redirected to https://portal.office.com/account. Under my account select the Security & Privacy tab to create and manage your passwords. Click on create and manage passwords.

office 365 security and privacy

7- Additional security verification (app passwords) click on create button.

microsoft additional security verification

8- Enter a name and then click next.

microsoft create app password

9- Copy your password and save it in notepad and then click close.

microsoft your app password

10- You will need to sign in with this user if you have an existing service account. In the right-hand upper corner, select the settings and then your app settings (Office 365).

office 365 security and privacy

I have created a new user, so I don’t want to do that here.

Add Office 365 organization using modern authentication

Create Storage account in Azure

Add Object Storage Repository

Add Azure Blob Storage Repository

For more details please visit Veeam

Related: Adding an organization fails 401: Unauthorized.

Jamil Parvez

Jamil Pervez works as a Network Administrator, based in Kuwait with a Primary focus on Microsoft technologies. Microsoft Certified MCSE, MCTP, MCITP, CCNP, CCIP, CCVP with 20 years of experience in administering Windows Servers, Exchange, VMWare, Veeam B&R, Veritas BackupExec.

Related Articles

5 Comments

  1. Good post. I learn something totally new and challenging on blogs I StumbleUpon everyday. It’s always useful to read through articles from other authors and use something from other web sites. |

  2. We’re a bunch of volunteers and opening a brand new scheme in our community. Your site provided us with valuable information to work on. You’ve done an impressive task and our whole neighborhood will likely be grateful to you.|

  3. Very good post! We are linking to this particularly great content on our website. Keep up the great writing.

Leave a Reply

Back to top button